[jcifs] Question about NT Domains

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Wed Jun 12 13:16:22 EST 2002 

> -----Original Message-----
> From:	Tony Thompson [SMTP:tony.thompson at stone-ware.com]
> Sent:	Tuesday, June 11, 2002 10:51 PM
> To:	Michael_B_Allen at ml.com
> Subject:	RE: [jcifs] Question about NT Domains
> 
> OK, here is a trace from a Win98 machine.  It still looks different.  If you look at packet #13,
> I am guessing that is where the password is set but, it looks completely different from what
> I would expect.  According to the document you clued me in on, the parameter descriptor
> string should be "zsT".  The descriptor in that packet is "zb16b16WW" (I think).  I couldn't
> even find that in the cifsrap2.doc.
> 
	Opps, that appears to be a another RAP call for changing your password. I have not heard of
	SetUserPassword (115). There are hundreds of RAP calls. I seem to be at a loss as to how
	to capture a SamOEMChangePassword call. I suppose an early version of smbclient might
	do it. You could probably get Win98 to do it too you just need to provoke it in the right way.
	Does anyone have an Ethereal pcap of SamOEMChangePassword or know exactly how Tony
	can get one?

> I am not sending the wrong password so, I must be building the request incorrectly.
> 
	You really need a pcap. You'll never get it right without one. At least I never could.

	Otherwise, your code looks really close,
	Mike

> I am attaching my source code as well.  I don't know if you can see anything obviously wrong with that.
> 
> Thanks for your help.
> Tony
> 
> >>> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> 06/11/02 08:56PM >>>
> Your password changing utility is using DCE/RPC which is why it looks nothing like your other trace. The
> jcifs trace looks like a strait forward wrong password to me. Try capturing a Win98 machine. It' can't do
> DCE/RPC.
> 
> Mike
> 
> > -----Original Message-----
> > From:	Tony Thompson [SMTP:tony.thompson at stone-ware.com] 
> > Sent:	Tuesday, June 11, 2002 9:43 PM
> > To:	Michael_B_Allen at ml.com 
> > Subject:	RE: [jcifs] Question about NT Domains
> > 
> > I grabbed the BouncyCastle code.  There is an RC4 engine in there that I can use.
> > 
> > I am having an issue with trying to get this thing working.  Here is the exception that I am getting:
> > 
> > jcifs.smb.SmbException: Invalid operation for IPC service
> >         at jcifs.smb.SmbTree.send(SmbTree.java:86)
> >         at jcifs.smb.SmbFile.send(SmbFile.java:499)
> >         at jcifs.smb.SmbFile.changePassword(SmbFile.java:1420)
> >         at Test.main(Test.java:137)
> > 
> > Attached are two Sniffer trace files.
> > 
> > passwd.cap - is a trace of a command line utility that I grabbed off the net to change my password (it works).
> > 
> > jcifs_pass.cap - is a trace of the code I added to jCIFS.
> > 
> > Can you point me to something specific in the trace (i.e. a packet #, etc.) that I can use to compare the two traces to try and figure out what I am doing wrong?  I haven't really dug into this
> > stuff at the wire level before so I am not quite sure what I am looking for just yet.
> > 
> > Thanks.
> > Tony
> > 
> > >>> "Allen, Michael B (RSCH)" <Michael_B_Allen at ml.com> 06/10/02 07:52PM >>>
> > RC4 is a very simple algorithm. A very simple search on google turned up numerous RC4.java classes.
> > 
> > > -----Original Message-----
> > > From:	Tony Thompson [SMTP:tony.thompson at stone-ware.com] 
> > > Sent:	Monday, June 10, 2002 8:07 PM
> > > To:	miallen at eskimo.com 
> > > Cc:	jcifs at samba.org 
> > > Subject:	Re: [jcifs] Question about NT Domains
> > > 
> > > It looks like the E() is what I need to do the one way transformation (partially).  If the old password is longer than 8 bytes, I have to concatenate several results from E().
> > > 
> > > But, I still need to do RC4 encryption on the two passwords.  I don't think that RC4 encryption is part of the JCE or, even if it was, that you would want jCIFS dependent on the JCE.  What do
> the
> > > Samba "guys" do?  Is there anything that we can use to do this?
> > > 
> > > >>> "Michael B. Allen" <miallen at eskimo.com> 06/07/02 08:10PM >>>
> > > On Fri, 07 Jun 2002 15:12:30 -0500
> > > "Tony Thompson" <tony.thompson at stone-ware.com> wrote:
> > > 
> > > > I decided to try and tackle this but, I am having a couple of issues.  According to the cifsrap2.doc, an RC4 encryption must be performed on the old password before it is sent.  I didn't see
> > > anything hanging around in jCIFS that would do this.  Any suggestions?
> > > > 
> > > > A one way transformation must also be performed on the old password.  The document describes the gyrations required to do this but, one of the elements of the transformation is "an 8 byte
> string
> > > whose value is available from Microsoft upon request".  Any idea what this string might be or how to get it?
> > > > 
> > > > Is there something already in jCIFS that would do all of the above for me (i.e. is this same type of thing used anywhere else)?  I know it is a long shot but, I had to ask.
> > > 
> > > Look  at  the  top  of jcifs/smb/SmbSession.java. You can in all likelyhood
> > > just  use  the  E()  method.  It's  probably  very similar but i don't know
> > > really.  It will take some fiddling and reasoning. You don't really need to
> > > know much about encryption to do it but you might want to get a capture and
> > > copy  out  the  encrypted  value  of  a known password so you can test your
> > > encryption method. 
> > > 
> > > Mike
> > > 
> > > -- 
> > > http://www.eskimo.com/~miallen/c/jus.c 
> > > 
> > > 
> > > 
> > 
> >  << File: passwd.cap >>  << File: jcifs_pass.cap >> 
>  << File: 98_pass.cap >>  << File: SamOemChangePasswordResponse.java >>  << File: SamOemChangePassword.java >>

More information about the jcifs mailing list